This is the first step I took in working towards getting a DHCP-DDNS-enabled Unslung box up and runnning. The DHCP and Dynamic part of this are documented at IntegrateDHCPandDynamicDNS. What follows are the steps to create a working primary DNS server.

Install

Get an Unslung system up and working. I used Unslung v6.8 Beta for mine, running on a 512Mb flash drive (until I can pick up a 2.5" laptop disk from eBay; it will give significantly better performance). Update, add unslung-feeds, update again. I also install openssh and coreutils by default.

Install bind:

ipkg install bind

This will install a copy of bind9.

Configuration

Now to configure it. There's so much contradictory material on the Web about configuring bind that it's easy to see why people struggle. The following steps work for me. And they do correctly resolve non-fully qualified host names, contrary to my earlier findings.

For hygiene reasons, I created all my configuration files in the /root/ directory and copied them into the /opt/etc/named/ directory each time I was ready to test the configuration. You may want to do this in a non-root user directory.

The overview of the process is:

Write the required system config files:

named.conf

Write desired zone files:

db.localhost

db.localhost.rev

db.leedomain.com

db.192.168.1.rev

Write a file for lookups that cannot be internally resolved:

root.servers

All of the above files will eventually go into a directory called /opt/etc/named/. Check if it is there and create it if it isn't by typing:

mkdir /opt/etc/named

Create an rndc.key file:

/opt/sbin/rndc-confgen -a

This should create a file called rndc.key in /opt/etc/named/. You may not need this if you are not going on to do dynamic DNS. It's part of the system that allows other applications - such as an rndc-enabled DHCP server - to update bind's configuration files. Actually, you may not need it even if you do go on to work on DDNS. That's because the optware bind package also installs dnssec-keygen, which appears to also create a key suitable for rndc applications to use. In reading on this, I have not found my way through the ins and outs of each key-creation method.

Once you've created all the files, copy the bind configuration and zone files from /root/ (or wherever you created them) to /opt/etc/named. Then start the server for testing.

That's the overview. Here are the configuration and zone files in more detail.

Named.conf

Notes about this file.

The 'logging' section is commented out until after testing is complete. This is because this logging will squirt bind's start-up messages into syslog and bind's running messages into a user-specified log. Keeping them all together during testing - in the system's messages log - makes testing and troubleshooting easier.
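Since the page lists the file names but not their contents, here is an added example (not from the original page) that writes a minimal named.conf and the four zone files into a staging directory such as /root/named-staging, ready to be copied to /opt/etc/named as described above. The address 192.168.1.78 for seanas1 and the zone names come from the text; the server's own address (SERVER_IP), the name ns1, the serial numbers and the hostmaster mailbox are constructed placeholders. It assumes rndc-confgen -a has produced /opt/etc/named/rndc.key with the default key name rndc-key, and that named-checkzone (part of bind9's tools) is available on the box.

```shell
#!/bin/sh
# Write a minimal primary-DNS configuration for bind9 (named.conf plus the
# zone files listed on this page) into a staging directory, then check the
# zones.  Everything except 192.168.1.78 / seanas1 / leedomain.com is a
# constructed placeholder.
# Usage: SERVER_IP=192.168.1.77 sh make-bind-config.sh /root/named-staging
set -eu
SERVER_IP=${SERVER_IP:-192.168.1.77}   # placeholder: the Unslung box itself
NAMED_DIR=/opt/etc/named               # where the files finally live

# $1 = primary NS name, $2 = zone origin, $3 = serial: emit $TTL, SOA and NS.
zone_header() {
    printf '$TTL 86400\n'
    printf '@ IN SOA %s hostmaster.%s ( %s 3600 900 604800 86400 )\n' "$1" "$2" "$3"
    printf '  IN NS %s\n' "$1"
}

write_bind_config() {
    dir=$1
    mkdir -p "$dir"
    # Queries and recursion are limited to the LAN so the box is never an open
    # resolver; the logging block stays commented out until testing is done.
    cat > "$dir/named.conf" <<EOF
options {
    directory "$NAMED_DIR";
    listen-on       { 127.0.0.1; 192.168.1.0/24; };
    allow-query     { localhost; localnets; };
    allow-recursion { localhost; localnets; };
    allow-transfer  { none; };
};
// logging { channel named_log { file "/var/log/named.log"; severity info; };
//           category default { named_log; }; };
include "$NAMED_DIR/rndc.key";   // written by rndc-confgen -a (key name rndc-key)
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
zone "." { type hint; file "root.servers"; };
zone "localhost" { type master; file "db.localhost"; };
zone "0.0.127.in-addr.arpa" { type master; file "db.localhost.rev"; };
zone "leedomain.com" { type master; file "db.leedomain.com"; allow-update { none; }; };
zone "1.168.192.in-addr.arpa" { type master; file "db.192.168.1.rev"; allow-update { none; }; };
EOF
    { zone_header localhost. localhost. 1
      printf '  IN A 127.0.0.1\n'; } > "$dir/db.localhost"
    { zone_header localhost. localhost. 1
      printf '1 IN PTR localhost.\n'; } > "$dir/db.localhost.rev"
    { zone_header ns1.leedomain.com. leedomain.com. 2024010101
      printf 'ns1 IN A %s\n' "$SERVER_IP"
      printf 'seanas1 IN A 192.168.1.78\n'; } > "$dir/db.leedomain.com"
    { zone_header ns1.leedomain.com. leedomain.com. 2024010101
      printf '%s IN PTR ns1.leedomain.com.\n' "${SERVER_IP##*.}"
      printf '78 IN PTR seanas1.leedomain.com.\n'; } > "$dir/db.192.168.1.rev"
    # Root hints are the published named.root file, not something to type in.
    [ -f "$dir/root.servers" ] || echo "fetch https://www.internic.net/domain/named.root into $dir/root.servers"
}

# Syntax-check each zone before copying; catches the typos the Testing section warns about.
check_zones() {
    command -v named-checkzone >/dev/null 2>&1 || { echo "named-checkzone not found; skipping"; return 0; }
    named-checkzone localhost "$1/db.localhost"
    named-checkzone 0.0.127.in-addr.arpa "$1/db.localhost.rev"
    named-checkzone leedomain.com "$1/db.leedomain.com"
    named-checkzone 1.168.192.in-addr.arpa "$1/db.192.168.1.rev"
}

if [ $# -gt 0 ]; then write_bind_config "$1"; check_zones "$1"; fi
```

Remember to bump the serial in db.leedomain.com and db.192.168.1.rev every time you edit them; bind ignores a reloaded zone whose serial did not change.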

Testing

At this point you could start the bind server by issuing a 'start' argument to the initialisation script that the ipkg installation routine installed. But I advise you to open another ssh session to the server and watch the syslog file in realtime as you start the bind server in the original ssh window. Once you've opened the second ssh session, issue the command:

tail -f /var/log/messages

to see incoming messages as you start the bind server.

Now go to the original ssh window and start the bind server by issuing the command:

/opt/etc/init.d/S09named start

All being well you should see the cursor return to a command prompt. In the second window, you should see action and error messages (if any!).

Useful things to look out for here are:

Is the word 'error' showing up anywhere? Typically it is caused by a typo in the name of a zone file, which shows up as a 'file not found' error.

Syntax problems in the named.conf file will be indicated with a line number after the file's name.

Fix any errors, copy the repaired files to the /opt/etc/named/ directory and restart the bind server with the command:

/opt/etc/init.d/S09named restart

Watch that /var/log/messages file for errors.

If the server looks as though it started correctly, you can test whether it is visible to and working for your LAN clients. I test that it is visible by using nmap on a separate Linux box, with the command:

nmap -sS <DNS_server_IP>

You don't have to use -sS. I do recommend you scan all the server's ports though so that you know what else is visible on that machine.

Assuming that nmap revealed that the server is listening on DNS port 53, you can continue to use the Linux client to test it. The following command will ask the system to resolve www.bbc.co.uk.

dig @<DNS_server_IP> www.bbc.co.uk

In the result that comes back, you should see a section called 'ANSWER SECTION'. It should contain an IP address that a known-working DNS server gives you (or a nearby IP address, at least). Here's how this test looks on my Unslung DNS server:

Now that we know that our server is working, let's see if it is correctly supplying our local, manually-entered client IP addresses. In the LAN zone file, we added a host called SEANAS1 at 192.168.1.78.
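The checks described in this section (port 53 visible, an external name resolving, the local host and its reverse record, and comparison with a known-good resolver) gathered into one script, as an added example that is not from the original page. It assumes dig and optionally nmap on the Linux client, the zone leedomain.com with seanas1 at 192.168.1.78 from the text, and takes the optional second argument of a resolver you already trust.

```shell
#!/bin/sh
# Post-start checks for the bind server configured above, run from a separate
# Linux client as the page describes.  dig is required, nmap optional.
# Usage: sh dns-check.sh <DNS_server_IP> [known_good_resolver_IP]

# Read dig output on stdin and print the rdata of A and PTR records found in
# the ANSWER SECTION (prints nothing if that section is absent, e.g. NXDOMAIN).
answer_rdata() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^$/                  { in_ans = 0 }
         in_ans && ($4 == "A" || $4 == "PTR") { print $5 }'
}

# Forward lookup of name $2 at server $1; short timeout so a dead server shows quickly.
lookup() {
    dig @"$1" "$2" A +time=3 +tries=1 | answer_rdata
}

# Succeed only if servers $1 and $2 return the same non-empty answer set for name $3.
same_answers() {
    a=$(lookup "$1" "$3" | sort)
    b=$(lookup "$2" "$3" | sort)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

main() {
    server=$1
    ref=${2:-}
    echo "== is port 53 visible? (nmap, as in the text) =="
    if command -v nmap >/dev/null 2>&1; then nmap -p 53 "$server"; else echo "nmap not installed"; fi
    echo "== external name via our server =="
    lookup "$server" www.bbc.co.uk
    echo "== local forward record (from db.leedomain.com) =="
    lookup "$server" seanas1.leedomain.com
    echo "== local reverse record (from db.192.168.1.rev) =="
    dig @"$server" -x 192.168.1.78 +time=3 +tries=1 | answer_rdata
    if [ -n "$ref" ]; then
        if same_answers "$server" "$ref" www.bbc.co.uk; then
            echo "www.bbc.co.uk: answers match reference resolver $ref"
        else
            echo "www.bbc.co.uk: answers DIFFER from reference resolver $ref (or one lookup failed)"
        fi
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

A DIFFER result for a busy site is not necessarily a fault: as the text notes, a round-robin name may hand different clients nearby addresses. An empty local forward or reverse answer, on the other hand, points at the zone file or the zone stanza in named.conf.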

Copy the edited named.conf to /opt/etc/named/ and restart the server. Doing this will leave /var/log/messages to catch system problems, such as a failed bind start up, but leave your specified log file to catch bind's running problems.